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ABSTRACT 

This  paper  presents  a semantic  model  for  parallel  systems  with  a 
scheduling  mechanism  that  is  useful  for  expressing  and  proving  a wider 
range  of  properties  than  semantic  models  which  do  not  consider 
schedul ing. 

Ue  formally  describe  a number  of  properties  related  to  schedul ing  and 
deadlock,  including  "Fairness"  and  "Fullness",  and  show  that  echedulere 
with  these  properties  behave  in  deslreable  ways. 


Lastly,  we  prove  and  conjecture  some  proof  rules  for  scheduled  systems 
and  outline  briefly  the  relation  of  thiB  work  to  modelling  protection  in 
parallel  systems. 
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INTRODUCTION 

Based  on  Scott’s  Mathematical  Theory  of  Computation  [Scott  721,  Cadiou 
& Levy  [Cadiou  8 Levi;  731  and  Milner  [Milner  731  have  introduced  a model 
of  parallel  processes  based  on  processes  that  communicate  by  sharing 
memory,  and  have  shown  now  to  state  and  prove  properties  such  as  mutual 
exclusion  formally  within  the  mechanizable  LCF  system. 

They  treat  nondeterminism  by  introducing  an  oracle  from  the  domain  TT* 
(sequence  of  truth  values,  see  [Kahn  73]).  The  determination  of  which 
process  to  execute  next  depends  on  an  initial  sequence  of  the  oracle, 
uith  ths  new  oracle  becoming  the  remainder. 

In  rn'»te  of  the  elegance  of  their  system,  they  are  unable  to  prove 
certain  properties  of  parallel  systems  that  one  would  expect  to  be  true. 
Primarily  this  trouble  stems  from  the  difficulty  of  characterizing  the 
well-behavedness  of  their  oracle.  By  using  a model  derived  from 
Lipton’s  work  [Lipton  731,  we  replace  the  oracle  with  a scheduler  and 
9tate  a property  of  schedulers,  fairness,  which  is  shown  to  be  adequate 
to  prove  a property  of  a particular  parallel  system  that  is  difficult  to 
express  in  Cadiou  8 Levy’s  system. 

Lie  first  present  a variation  of  Cadiou  8 Levy’s  model  and  note  some  of 
its  problems.  Lie  then  introduce  a model  with  a scheduling  formalism 
that  solves,  these  difficulties.  The  remainder  of  the  paper  contains 
properties  and  proofs  using  the  scheduling  model,  as  well  as  additional 
comments. 


MODELS  FOR  PARALLEL  PROCESSES 

The  models  for  parallel  processes  we  will  invetigate  in  this  paper 
have  3 important  features. 


1)  Processes  - Lie  will  always  consider  a variable  number  of  processes, 
each  of  which  may  be  in  one  of  three  stages,  runnable,  blocked  or 
stopped. 

2)  Indivisibility  - Processes  are  . ided  into  indivisible  actions 
(instructions)  called  elementary  processes  or  EP’s.  Uhen  a process  is 
selected  to  run,  it  executes  exactly  oi  e EP,  after  which  a new  decision 
is  made  about  which  process  should  be  scheduled.  Concurrent  execul ion 
of  parallel  processes  ie  modelled  by  sequential  interleaving  of  actions 
from  the  various  processes. 

3)  Abstract  Machine  - Two  main  approaches  have  emerged  for  proving 
general  properties  about  programs  (i.e.  - Termination  and  Equivalence  as 
well  as  Correctness),  the  Functional  approach  [Scott  8 Strachey  73] 
(related  is  the  Relational  approach,  see  [deBakker  74],)  and  the  Abstract 
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Machine  approach  (Wegner  721. 

The  Functional  approach  maps  a program  directly  into  a mathematical 
function;  the  meaning  of  a program  is  then  just  the  value  of  the 
corresponding  function.  Not  only  is  the  technique  elegant,  but  a formal 
system,  LCF  (Logic  for  Computable  Functions)  (Milner  721  has  been 
developed  and  mechanized  in  uhich  one  can  prove  properties  about 
computable  functions.  Cadiou  & Levy  and  Milner  use  such  an  approach  in 
their  respective  papers  on  semantics  of  parallel  programs. 

The  Abstract  Machine  appFoach  defines  a programming  system  via  a 
formal  definition  of  an  abstract  machine.  The  meaning  of  a Pj'°9|'afn  1 s 
then  the  result  of  its  execution  on  their  abstract  machine.  Much  o 
what  might  be  considered  nelegant  about  this  technique  is  due  to  its 
awkwardness  in  modelling  the  execution  of  statements  w'th  complex 
control  structures. 

However,  in  the  parallel  systems  we  will  be  describing,  there  is  only 
one  language  construct,  the  EP.  We  are  thus  in  the  unusua  position  of 
being  able  to  produce  an  abstract  machine  definition  that  is  as  simple 
and  somewhat  less  opaque  than  the  corresponding  functional  seman  ics. 

Of  course,  one  question  remains  - how  to  define  the  Abstract  Machine. 
Ue  choose  to  define  the  machine  interpreter  as  a computable  function, 
thus  making  the  tools  of  LCF  available  for  our  proofs. 

(As  we  note  in  the  conclusion,  we  expect  work  on  semantics  for 
parallel  systems  to  come  full  circle,  that  is,  back  to  languages  that 
have  the  appropriate  structures  for  parallel  control.  It  is  likely  that 
an  Abstract  Machine  approach  would  then  be  unsuitable.) 


A VARIANT  OF  CADIOU  & LEVY’S  MODEL 

In  producing  an  Abstract  Machine  version  of  Cadiou  & Levy’s  model,  we 
divide  the  state  of  the  model  into  2 parts,  S,  the  Data  state  and  K,  the 
Control  state. 

The  Control  state,  K,  can  be  viewed  as  a binary  process  tree  whose 
leaf  nodes  represent  processes.  The  interior  nodes  of  the  tree  conta  n 
either  "//"  which  indicates  parallel  execution  of  its  two  subtrees  or 
">v"  which  indicates  sequential  execution,  that  is,  no  process  in  the 
right  subtree  can  run  until  all  processes  in  the  left  subtree  have 
stopped.  For  example:  \ 
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— ^ // 

I 

>v 

I II 

— // C D 

I I 

A B 


A,.B,  0 and  E are  runnable.  C ie  blocked  until  both  A & B etop.  F ie 
blocked  until  E stops. 

The  Abstract  Machine  selects  a leaf  node  representing  a runnable 
process.  It  executes  a single  EP  which  first  modifies  the  state  S,  and 
then  produces  a process  tree  which  replaces  the  node  selected,  thus 
becoming  a subtree  of  K.  The  subtree  may  be  simply  a single  node,  uhich 
can  be  used  to  represent  the  continuation  of  the  same  process,  a 'V 
construct,  which  can  be  used  to  represent  the  call  of  a subroutine,  or  a 
"//"  construct,  which  can  be  used  to  represent  the  spawning  of  a 
subprocess.  In  addition,  a node  can  be  the  element  ISTOPI  which 
indicates  the  process  has  stopped. 

All  processes  execute  the  same  program.  Ue  can  view  programs  as 
labelled  flowcharts,  where  it  is  the  EPs  that  are  labelled.  For 
example,  the  flowchart 

> P(sem)  > V(sem)  

I I 


can  be  represented  by  the  following  program  with  labels  P & V, 

P:  sem  > 0 — > ( sem  «-  Bern  - 1 -■>  V ) , ■■>  J 

V:  sem  ♦-  sem  + 1 -»>  P 

(Note:  Read  >"  as  "goto"  and  "a  -->  b,  c"  as  "if  a then  b else  c") 

The  leaf  nodes  of  K either  contain  STOP  or  the  label  of  the  EP  the 
process  was  executing.  So,  the  process  tree  for  a system  in  which  two 
processes  are  executing  the  P/V  loop  program  above  might  be 

// 


P P 

The  data  state  S contains  an  element  sem. 

In  the  formal  model,  the  abstract  machine,  given  S and  K determines 
the  "Next1'  etate  of  S and  K by  selecting  a runnable  node  from  K and 
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executing  the  EP  it  represents  thus  changing  both  S and  K. 

O 

To  select  the  runnable  EP,  we  use  an  oracle,  an  infinite  sequence  of 
truth  values.  We  start  at  the  root  of  K and  work  our  way  towards  a leaf 
node.  Each  time  we  encounter  a "//"  with  runnable  nodes  (not  (STOP))  in 
each  subtree,  we  pick  off  the  first  element  of  the  oracle  and  use  it  to 
decide  which  subtree  to  continue  down.  In  the  formal  model,  the  "Next" 
function  implements  the  abstract  machine  as  as  recursive  tree-walk. 

FORMAL  MODEL  - Cadiou  & Levy  Adaptation 
Primitive  Domains 
S - memory  state 

TT  - truth  value  ( elements  tt,  ff  and  uu  - 
• we  also  use  "uu"  to  represent  the  least  defined  element  of 
any  domain  and  let  the  user  rely  on  context  to  determine  the 
appropriate  domain  ) 

LABEL  - label 

Constructed  Domains 

1 

ORACLE  ■ TTvf  (sequence  of  truth  values) 

EP  - S — > K x S 

K - (STOP)  + LABEL  + K x (*,//}  x K 

I'  PROG  - LABEL  — > EP 

The  "Next"  function  uses  the  oracle  to  pick  a runnable  EP  from  K, 
reluming  the  resulting  process  tree  as  well  as  the  updated  state  and 
the  remainder  of  the  oracle. 
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Next:  K x S x ORACLE  — > K x S x ORACLE 
Next (k, s, ora) 

Case  k of 

STOP  — > <k,s,ora>, 

<q,//,r>  — > ( 

Stop(q)  — > Next  (r, s, ora) , 

Stop(r)  — > Next (q, s, ora) , 

Hd(ora)  -->  Mk ( M.<t,//,r>,  Next(q,s,Tl  (ora))  ), 

Mk  ( M.<q,//,r>,  Next  (r , s,  Tl  (ora) ) ) ), 

<q,*,r>  — > ( 

Stop (q)  -->  Nexttr, s,ora) , 

Mk ( At.<t,*,r>,  Next (q, 8, ora)  ) ), 

Ibl  — > <Exec ( I b I ) (s) .K,  Exec( Ibl ) (s) . S,  ora>. 

(note  that  if  AB  • A x B,  and  ab:  AB  (ab  is  of  type  AB) , then 
ue  use  ab.A  and  ab.B  to  indicate  the  projections  of  ab  onto  it’s 
A and  B components  respectively) 

The  "Exec"  function  for  a particular  program  Prog  gets  the  EP  labelled 
by  Ibl  and  executes  it  in  state  s to  produce  a new  k and  e. 

Execs  LABEL  — > [ S — > K x S 1 

Exec ( I b I ) (9)  <■■  Prog ( I bl ) (s) . 


flks  [ K ->  K 1 x I K x S x ORACLE  ] — > ( K x S x ORACLE  1 
Mk(fk,<k,a,ora>)  <■*  <fk (k) , s, ora>. 


Hds  TT*  — >‘ TT  and  returns  the  first  element  of  a sequence 

TIj  TT*  — > TT*  and  returns  the  remainder  of  a sequence 

Stop:  K — > TT  and  is  defined  so  that 

Stop(uu)  a uu,  Stop  (STOP)  m tt,  and  for  all  other  k, 

Stop(k)  b ff. 

The  result  (final  state)  of  running  k0  with  an  initial 
state  s0  and  oracle  ora0  is  Mem (k0,  s0, ora0) , where  Mem  is 
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!1em(k,s,ora)  <-- 
Stop(k)  — > e, 

Mem (Next (k, s, ora) ) . 


(An  alternate  model  perhaps  closer  to  current  languages  and  systems 
might  use'  instead  of  "//",  uhere  spawns  a totally  independent 
process.  Thus  in  «p,//,q>,>v,r>,  r can  only  execute  after  both  p and  q 
STOP.  In  «p,&,q>,*,r>  r can  execute  aflcr  p STOPs,  regardless  of  what 
happens  to  q.  And,  <<ST0P,&,q>,*,r>  would  act  like  <r,&,q>  if  a 
semantic  description  were  to  be  given.  However,  wc  will  not  pursue  it 
further  in  this  paper.) 


The  key  departure  from  Cadiou  & Levy  is  that  K is  represented  by  a 
"syntactic"  data  structure  rather  than  by  being  embedded  in  a purely 
functional  structure  and  "//"  and  V are  used  here  as  purely  syntactic 
entities  rather  than  as  instances  of  more  general  process  combinators. 

A number  of  other  changes  have  been  made  to  produce  an  Abstract  Machine 
model  from  their  functional  model,  but  none  significantly  affect  the 
problems  of  the  model. 

The  main  advantage  of  thp  adaptation  has  been  that  we  have  separated 
the  selection  of  a process  to  be  executed  from  its  execution.  Thi9 
suggests  the  substitution  of  a scheduler  for  the  oracle. 


FACTORS  IN  CHOOSING  A MODEL 

There  are  three  major  concerns  that  have  prompted  the  development  of 
the  scheduling  model  that  will  be  the  focus  of  the  rest  of  the  paper. 

1)  It  is  difficult  (at  best)  to  characterize  anomalous  oracles,  Since 
anomaly  depends  so  heavily  on  the  changing  nature  of  the  state  and 
control.  For  example,  in  the  2 process  P/V  loop  example,  Cadiou  & Levy 
are  only  able  to  prove  that  one  or  the  oth  r will  run  forever,  while 
under  a reasonably  "fair"  scheduler , we  would  expect  both  to  run. 
forever.  By  providing  a model  with  a scheduler,  we  can  characterize  the 
scheduler  in  such  a way  that  anomalous  schedules  can  be  avoided.  Thus, 
we  will  replace  the  Oracle  by  a Scheduler  which  has  access  to  the  state 
of  the  system  and  specifies  a particular  process  to  be  run  as  well  as 
producing  a new  scheduler  to  schedule  the  next  process  (presumably  by 
modifying  internal  variables  or  queues). 

2)  He  wish  to  model  situations  where  one  process  may  arbitrarily 
start,  stop  or  otherwise  control  another  process.  Thus,  instead  of  K, 
the  model  contains  a multiplexor  M,  which  may  viewed  as  a vector  of 
processes.  The  Scheduler  specifies  a process  to  be  run  by  supplying  an 
integer  index  into  M.  M is  also  more  general  than  K in  that  for  each 
process  we  associate  not  only  a label  indicating  the  current  control 


6 


Semantic  Models  for  Darallel  Systems 


point,  but  a separate  program  as  uell. 

3)  Ue  wish  to  characterize  processes  which  are  blocked,  so  that  the 
scheduler  can  choose  not  to  attempt  to  run  such  a process.  Ihus, 
fol  lowing  Upton  ILipton  73),  ue  provide  each  EP  mth  a ^"^°mza,lon 
part  which  can  be  used  to  determine  which  processes  are  blocked. 

An  EP  corsists  of  3 parts,  all  executed  indivisibly  of  course.  The 
first  part,  (SYNCHFORM) , represents  a synchronization  condition.  It 
the  Scheduler  schedules  a process,  and  the  synchron  zat ion  cond. t o , 
ts  current  EP  is  not  met,  no  action  is  taken,  and  the  Scheduler  I s < 
simply  invoked  to  schedule  again.  If  the  synchron. zat  ion  ' 8 

met,  the  other  2 parts  of  the  EP  are  executed.  One  par  (STATEFORM 
changes  the  data  state  <S)  of  the  system,  and  one  prrt  (^NTR0LF0R«) 
changes  the  control  state  (II)  of  the  system  (specifying  the  label  of 
next  EP  of  the  current  process  or  starting,  stopping  or  °^£Ml”jch 
controlling  another  process.  There  is  one  special  labe  , . 

denotes  the  completion  of  s process). 

Evaluation  of  "Next"  proceeds  in  the  following  way:  First  the 

Scheduler  produces  an  index  into  the  Multiplexor  (as  we  I as  a new 
Schedu I er  to  schedule  the  next  iteration)  If  the  label  indexers 
"STOP",  then  no  further  action  is  .aken  th : s ' terat  oi n*  / * d 

labelled  EP  is  executed.  First  its  synchronization  condition  Is  tested. 
If  ^alse.  no  further  action  takes  place  with  the  EP.  If  true  t houg  the 

rest  r.t  the  EP  is  evaluated  to  update  both  the  data  state  (S)  and  the 
multiplexor  (M) . 


THE  FORMAL  MODEL 


Pr imi ti ve  Domains 

TT  - truth  values 
N - natural  numbers 

LABEL  - labels,  including  the  element  STOP 
ARG  - function  argument 
NAME  - names  of  functions 
S - states 
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Constructed  Domains 

SYNCHFORM  - NAME  x ARGS 

STATEFORM  - NAME  x ARGS 

CONTROLFORM  - NAME  x ARGS 

EP  - SYNCHFORM  x STATEFORM  x CONTROLFORM 

M - N — > PROG  x LABEL 

PROG  - LABEL  — > EP 

ARGS  - (<>)  + ARG  x ARGS  (We  uill  use  standard  tuple  notation 

and  thus  represent  <a,  <b,  <c,  <»>>  as  <a,b,c>) 

SM  - S x M 


The  Scheduler 

SCHED  - S x M — > N x SCHEO 


Primitive  Functions 

Synchfn:  NAME  — > C ARGS  -->  ( S — > TT  ] I 

Statefn:  NAME  -->  ( ARGS  — > ( S -->  S x ARGS  ] ] 

Controlfns  NAME  — > ( ARGS  — > C ARGS  — > I M — > Mill 

For  reasons  discussed  in  the  section  on  Schedulur  Notes,  ue  model  the 
various  FORMs  as  a function  name  and  an  argument  list.  To  evaluate  the 
functior,  ue  must  provide  a uay  of  mapping  the  name  of  the  function  to 
the  function  itself.  That  is  uhat  the  three  primitive  functions  do. 

They  are  also  guaranteed  to  be  total.  It  is  left  to  the  reader  to 
imagine  hou  they  can  be  extended  reasonably  to  total  functions  in  the 
cases  uhere  the  name  is  undefined  or  the  arguments  are  inappropriate.  It 
is  important  to  note  that  arguments  to  Synchfn’ s and  Statefn’ s uill  not 
necessarily  be  values  but  uill  more  likely  represent  variable  names  used 
to  select  a value  from  s.  Thus  ue  are  not  providing  an  abstract  model 
of  storage,  but  rcther  modelling  at  a higher  level  of  abstraction. 


The  Interpreter 

Next:  S x M x SCHED  — > S x M x SCHED 

Next  (s,  m,  sched)  <>*« 

Let  <n,8Ched’>  be  sched(s,m)  in 
m(n). LABEL  - STOP  — > <s,m, sched’ >, 

Let  <s’,m’>  be  Exec(n)(s,m)  in  <s’,m’,sched’>. 

(note  that  if  AB  - A x B,  and  ab;  AB  (ab  is  of  type  AB),  then 
ue  use  ab.A  and  ab.B  to  indicate  the  projections  of  ab  onto  it's 
A and  B components  respectively) 
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Given  an  index  into  the  multiplexor  and  a multiplexor,  Action  produces 
the  designated  EP. 

Action:  N x II  — > .EP 

Act i on (n)  (m)  <«■  (m (n)  .PROG) (m(n) .LABEL) . 


Given  an  index  into  M,  ab  uell  as  S S M,  Exec  executes  the  designated 
EP  to  produce  a new  S S H. 


Exec:  N — > [ S x M — > S x M 1 


Exec (n)  (s, m)  <•** 

Let  <syfrm, stfrm, cfrm>  be  Action(n)(m)  in 
Synchfn (syfrm.NAHE)  (syfrm. ARGS) (s)  — > ( 

Let  <s' .resul t>  be  Statefn (stfrm. NAME)  (stfrm. ARGS) (s)  in 
<s’  .Control  fn  (cfrm.NAME)  (cfrm,  ARGS)  (resul  t)  (m)  > ) , 

<s, m>. 


The  reader  is  encouraged  to  look  ahead  to  the  Applications  section  for 
an  example  of  how  a particular  system  Mould  be  modelled. 

In  this  model  (as  in  actual  systems),  it  is  not  so  clear  when 
computation  stops  (for  example,  an  idle  process  may  run  in  an  Operating 
system  when  nothing  can  otherwise  bs  scheduled).  However,  for 
simplicity,  we  will  assume  a continuous  predicate,  Mstop. 

Ms  top:  S x M x SCHED  — > TT 

For  example,  if  the  scheduler  returns  a zero  index  when  there  is 
nothing  to  schedule,  then  we  could  define  Mstop  as: 

* 

Ms  top  (s,  m,  sched)  <-■  ( sched(s,m).N  ■ 0 ). 

In  any  case,  ue  can  define  the  result  (final  state)  of  running  m0  with 
state  s0  and  scheduler  sched0  as  Mmsm(s0,m0,sched0)  where  Mmem  le 
defined  as 

Mmem  (s,  m,  sched)  <— 

Mstop(s,m, sched)  — > s, 

Mmem (Next (s, m, sched) ) . 
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PROPERTIES  OF  SCHEDULERS 

Treatment  of  schedulers  in  this  paper  ui  1 1 be  independent  of  any 
particular  synchronization  primitives  (e.g.  P/V,  P/Vchunk,  ufc>/doun)  and 
any  particular  implementation  or  internal  structure  of  the  echeduler 
(e.g.  FIFO  queues  priority  order),  rather  ue  simply  express  a number  of 
scheduler  proper' ies  using  the  model.  The  properties  described  are 
either  ones  that  nil  I be  used  later  in  the  paper,  or  ones  that  have 
appeared  already  in  the  literature.  A comparison  of  these  propertiee  by 
example  can  be  found  in  the  Applications  section  of  this  paper. 

The  properties  as  described  are  dependent  heavily  on  S & II  as  well  as 
the  scheduler,  wheras  commonly,  we  are  simply  interested  in  a property 
of  a echeduler  independent  of  what  it  schedules.  The  section  of  this 
paper  on  Scheduler  Notes  indicates  how  this  problem  may  be  solved. 

Notes:  Ue  will  be  using  "process  j"  to  indicate  the  continuing 
behavior  of  the  contents  of  fl(j). 

Ue  use  the  notation  C to  mean  less  defined  than  - aleo 

, ■ - Strong  equivalence  ( a ■ b iff 

a C b a b t a ) 

E - Strictly  less  defined  than  ( a E b iff 
a E b a -i(a«b)  ) 

Note  that  sequence  domains  (e.g.  TT*)  are  ordered  by 
uu  G a C (a  tt  b)  and  a « a tt  uu 

where  "tt"  is  the  concatenation  operator. 


1)  Def ined(sched) (s,m) 


tt*  <—  tt  tt  tt*.  (The  symbol  "tt*"  is  to  be  the  least  fixed 
point  of  this  equation  - which  can  be  seen  to  be  the 
infinite  string  of  "tt"s.) 

Def  (e.m.sched)  <--  tt  tt  Def  (Next  (s,m,  sched) ) . 

Def  ined(sched) (s,m)  iff  Oef (s, m, sched)  ■ tt* 

» • 

2)  Ful I (sched) (s,m)  - A scheduler  is  full  if  it  doee  not  schedule  an 
unrunnable  process  when  a runnable  process  can  be  run. 

1 

ICanrun (k) (s,m)  <== 

m(k). LABEL  - STOP  — > ff, 

( Let  eyn  be  Action(k)  (m)  .SYNCHFORM  in 
Synchfn (sun. NAME)  (syn.ARGS)  (s)  ). 
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1 

) 


Runnabl e ( j ,k) (s, m, sched)  <«= 

( j sched(s,m).N  v Canrun( j)  (s,m)  v -Canrun(k) (s,m)  ) 
tt  Runnabl e ( j, k)  (Next (s,m, sched} ) . 

Ful  I (sched)  (s,  m)  iff  (Vj,k)(  Runnablet  j,k)  (s,m,  sched)  C tt*  ) 


3)  Releasefsched)  (s,m)  - A scheduler  is  a release  scheduler  (Lipton 
73)  if,  uhen  some  action  unblocks  a set  of  processes,  then  some  process 
from  that  set  ui  I I be  the  next  to  run. 

Unblock  (k)  (s,m,  sched)  <— 

Let  <s’ , m’ , sched’ > be  Next  (s,  m,  sched)  in 
( Canrun(k) (s,m)  — > tt, 

Canrun(k) (s’ , n’ ) — > ( 

Let  n’  be  sched’ (s’ ,m* ) .N  in 
n’  - k — > tt, 

-’Canrun(n* ) (s,m)  a Canrun(n’ ) (s’  ,m’ ) ), 

tt  ) 

tt  Unblock (k) (s’ ,m’ , sched* ) . 

Re  I ease  (sched)  (b,  m)  iff  (Vk)  ( Unblock(k)  (s,m, sched)  £ tt*  ) 


4)  Ready\Run(8ched)  (s,m)  - A scheduler  has  the  Ready  Run  property  uhen 
no  process  has  to  uait  forever  to  run  from  the  time  it  becomes 
continuously  capable  of  running.  Ue  actually  state  this  in  the  logic  as 
- any  process  uhich  is  unable  to  run  at  most  a finite  number  of  times 
must  run  infinitely  often.  Some  thought  should  convince  the’reader  that 
these  are  the  same. 

Run(  j)  (s,m, sched)  <-= 

t(  j - sched(9,m).N  a Canrun( j)  (s,m)  ) 
tt  Run ( j) (Next (s,m, sched) ) . 

t(p)  <—  p — > tt,  uu. 

Cantrun ( j) (9,m, sched)  <■■ 

t(-Canrun(  j)  *9,m) ) tt  Cantrun(  j)  (Next  (s, m,  sched) ) . 

Ready\Run(9ched) (9,m)  iff 

(Vj)  ( Cantrun(  j)  (s,m,9ched)  E tt*  d Run(j)  (s,m, sched)  ■ tt*  ) 


5)  Pointer\0ounded(9ched)  (9,m)  - A scheduler  is  pointer  bounded 
[Lipton  733  uhen  a process  able  to  run  infinitely  often  is  scheduled 
infinitely  often.  (Ue  ui  1 1 see  in  the  Application  section  that  both 
ReadyXRun  and  Po inter \Bounded  are  too  ueak  and  that  Fairness  is  a more 
appropriate  property) 
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Tr  i ed  (k)  (9,  m,  9ched)  <■»» 

t(  k » sched(s,m).N  ) U Tr  ied(k)  (Next  (9, m, ached) ) . 

Infcan(k) (s,m, sched)  <-» 

t (Canrun (k)  (s, m) ) # Infcan(k) (Next (s,m, 9chdd) ) . 

Pointer \Bounded (sched) (s,m)  i f f 

(Vk)  ( I nfcan (k)  (9, m,  9ched)  s tt*  d Trled(k)  (s,m, sched)  ■ tt*  ) 


6)  Fair (9ched) (s,m)  - A scheduler  is  fair  if  any  process  able  to  run 
infinitely  often,  runs  infinitely  often  at  times  that  it  canrun  (Is  not 
blocked  or  stop) 

Fair (sched) (s,m)  i f f 

(Vk) ( Infcan(k) (s,m, sched)  b tt*  3 Run(k) (s, m, sched)  a tt*  ) 


7)  Ue  say  a scheduler  sched*  is  an  idling  extension  of  sched  if 

a)  ( 9ched(s,m)  a uu  a (Vk)  (-Canrun (k)  (s,m) ) ) — > 
sched*  (s,m) .N  ■ 0, 
sched’ (s,m) .N  a sched(s,m).N 

b)  sched’ (s,m) .SCHED  is  an  idling  extension  of  sched (s,m) .SCHED 

This  corresponds  nicely  with  the  example  definition  of  flstop  in  the 
previous  section.  It  is  easily  provable  that  every  scheduler  has  an 
idling  extension,  that  Run( j) (s,m, sched)  a Run( j) (s,m, sched’ ) and 
Def i ned (sched’ ) (s, m) . Al so  Ful  I (sched) ( s , m)  h Ful I (sched* ) (s,m)  and 
si m i I ar ly  for  Fair. 

Fairness  is  in  general  the  weakest  property  (along  with  definedness) 
that  we  would  ever  demand  of  a legitimate  actual  scheduler.  Luckily, 
fairness  (with  definedness)  will  be  adequate  for  proving  properties  that 
we  are  interested  in.  However,  proving  certain  properties  (in 
particular,  the  example  proven  in  the  next  section)  given  fairness  alone 
turns  out  to  be  somewhat  difficult,  The  key  problem  is  knowing  exactly 
when  a particular  action  will  occur,  even  when  it  is  known  that  it  must 
occur  eventually.  This  problem  often  disappears  if  the  scheduler  is 
full  as  well.  So  we  will  show  that  to  prove: 

A]  Def lned(9ched) (s,m) , Fair (sched) (s,m) , Q(j,s,m)  h 

Run( j) (s,m, sched)  ■ tt* 

it  is  sufficient  to  show  that 

Bl  Def ined(sched) (s,m) , Fai  r (sched) (s,m) , Ful I (sched) (s,  m) , Q(j,s,m)  h 

Infcan(j) (s,m, sched)  ■ tt* 
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Proofs 

Suppose  there  were  a function  Ful  l.sched:  SCHED  -->  SCHED  s.t. 
for  any  scheduler  sched, 

1)  Fu I i (Ful I sched (9ched) ) (s,m) 

2)  bun( j) (s.m.Ful I sched (sched) ) ■ Run(j) (s,m, sched) 

3)  Infcan( j) (9,m,Ful 1 9ched (sched) ) C Infcan(j) (s,m, sched) 

« 

Now,  suppose  Defined  (sched) (s.m) , Fair (sched) (s,  m) , Q(j,s,m), 
but  Run(  j)  (s,m,  sched)  il  v t* 

S ince  Fair (9ched) (s,m) , Infcant  j)  (s,m,  sched)  E tt* 

Thus  by  (1),  (2)  and  (3), 

Fu 1 1 (Fu I 1 9ched (9ched) ) (s.m). 

Run (j) (s.m, Full 9ched (9ched) ) E tt*  and 
Infcant j) (s.m.Ful lsched(9ched))  E tt* 

Then  trivially.  Fair  (Ful  I sched(sched) ) (s,m) , by  defn  of  Fair 

Now,  let  f sched  be  an  idling  extension  of  Fui I sched (sched) . Then 
Def  ined(fsched)  (s.m) , Fa ir.(f sched)  (s,m) , Fui  i (fsched)  (s,m)  and 
Run ( j) (s,m, f sched)  E tt* 

If  we  can  prove  IB),  then  Infcan  ( j)  (s,m,  fsched)  ■ tt*,  and 
by  defn  of .Fair,  Run( j) (9,m, fsched)  ■ tt*. 

Thus,  we  have  a contradiction  to 
Run(j) (s,m, fsched)  E tt*,  and  therefore  the  original 
hypothesis  that  Run( j)  (s,m, sched)  E tt*  must  be  false.  Since 
it  i 9 easily  shown  that  Run(  j)  (s,m, sched)  C tt*, 
it  must  be  the  case  that  Run ( j)  (s.ffl, sched)  ■ tt*  and 
[A]  follows. 

Definition  of  Fuilsched  and  proofs  of  1),  Z)  and  3)  can  be 
found  in  the  Appendix. 

APPLICATIONS 

Some  notion  of  the  properties  in  the  section  above  can  be  gained  by 
consideration  of  the  example  (adapted  from  [Upton  721)  of  3 processes, 
each  executing  the  loop: 

___> > P(sem)  > V(sem) 
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where  the  initial  value  of  sem  is  1. 

(He  will  describe  execution  sequence  as  a sequence  of  pi  and  vi, 
i -1,2,3  to  denote  the  execute  of  a P or  V by  the  j ’ th  process) 

Under  a scheduler  that  is  merely  defined  and  full,  the  execution  could 
simply  be 

pi  vl  pi  vl  pi  vl  pi  vl  ... 
that  is,  processes  2 and  3 might  never  execute. 

If  the  scheduler  is  additionally  a Release  scheduler,  the 
execution  could  be 

pi  vl  p2  v2  pi  vl  p2  v2  pi  vl  p2  v2  . . . 

that  is,  vl  releases  P of  processs  2 and  v2  releases  pi,  but  again 
process  3 might  never  be  executed. 

If  the  scheduler  additionally  has  the  Ready \Run  property,  it  helps 
matters  not  at  all,  since  process  3 is  never  continuously  capable  of 
running.  It  is  blocked  each  time  process  1 or  2 executes  a P.  Likewise 
the  Po i nterNBounded  property  does  not  help,  since  process  3 might  only 
be  tried  when  it  is  blocked. 

If  the  scheduler  though  is  merely  defined  and  fair,  each  of  pi,  p2, 
p3,  vl,  v2  and  v3  must  execute  infinitely  often. 

He’ll  prove  that  last  statement  for  the  more  general  case  where  there 
are  n processes.  As  already  noted,  this  is  a problem  that  Cadiou  & Levy 
would  have  difficulty  proving. 

To  simplify,  we’ll  assume  that  the  state  s is  identically  sem,  and 
we’ll  define  the  following  functionsi 

true  0 (s)  <»«  tt. 

tst  0 (s)  <==  ( ■ s > 0 ) . 

inc()(s)  <--  <s+l,uu>. 

dec()(s)  <==  <s-l,uu>. 

go  (<n,  lb  I >)  (res)  (m)  <-«  >vk.  ( k - n — > <m(n)  PROG,  lbl>,  m(k)  ). 

Introducing  some  notation,  we  use 

I b I : Hhen  syf(sya)  do  stf(sta)  »»>  cf(ca) 
to  represent  the  EP 

» 

<<syf , sya>,  <st f , sta>,  <cf , ca» 


14 


Semantic  Models  for  Parallel  Systems 


arauneM?6  EP  '?.labeMed  bU  Mhar.  aUa,  sta  or  ca  are  <>  (no 

arguments),  ue  eliminate  parentheses  as  uell.  Ue  further  use  the 
no  ta  1 1 on 


:n«>  Ibl (args) 


for 


■>  GO (n, Ibl,  args) 


(note:  Function  definitions,  like  "go",  have  their  names  in  lower 
case.  The  formal  name,  like  "GO"  (from  the  domain  NAME)  is  thf 
9ame  name  written  in  upper  case.) 


So,  we  name  the  program  described  pictorial ly  above,  pvlooplj},  where 
.s  the  process  number  (index  into  M).  It  has  two  labels,  P&V,  and 
its  formal  descript. on  using  the  shorthand  notation  developed  above  Is: 


P:  When  TST  do  DEC  : j->  V 
V:  When  TRUE  do  INC  :j->  P 


Now,  the  problem  can  be  stated  in  the  logic  as,  Prove: 

DeT.ned  fschedB)  (se.mB),  Fa  ir  (schedBMsB,  mB) , Range(j)  H 
Run(j) (s0, m0, schedB)  » tt* 


where 


m0  <--  *j.(  Range  (j)  - > <pvloopC j] ,P>,  <uu,ST0P>  ). 
so  <■•  l , 

Range  (j)  j > 1 a j $ m. 


By  the  results  of  the  previous  section, 
Fu I I (sched0) (s0, m0)  and  simply  pr jve 
Infcan( j) (s0,m0, schedB)  ■ tt»v.  . 


we  can  hi  so  assume  that 


PROOF: 


Def  ined  (schedB)  (s0,m0) , Fair  (schedB)  (s0,m0), 
Fu 1 1 (schedB) (s0, m0) , Range(j)  F 

Infcan(j) (sB.mB, schedB)  - tt* 

Infcan2k  ( j)  (s,m,  sched)  (k)  <— 

t (Canrun ( j) (Oesc (s, m, sched) (2*k).SM)) 

J t(Canrun( j) (Oesc (s, m, sched) (2*k+l).SM)) 
n Infcan2k(j) (s,m, sched) (k+1). 


LEMMA  1 

Defined (sched) (s,m)  a Ful I (sched) (s,m)  o 

(Vk)(  Let  cs’.m’.schedS  be  Oesc  (s,m,  sched)  (k)  in 
Oefmedtsched’I  (s\m’)  a Ful  I (sched’) (s’, m’ ) ) 
Proof:  Math  Ind  on  k 
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LEMMA  2 

I nfcan2k ( j) (s, m, sched) (k)  s Infcan(j) (Desc (s,m, sched) ( 2*k ) ) 
Proof:  Parallel  Comp  lnd  on  Infcan2k  & Infcan 

LEMMA  3 

Def  ined(sched0) (s0,ffl0) , Ful I (sched0) (s0,m0)  h 
Let  <s’  ,m’ , sched’  > be  Desc  (s0,m0,  sched0)  (2>vk) , 

<s",m", sched">  be  Desc<s0, m0, sched0) (2*k+l ) , 
j be  sched’ (s’ ,m’ ) in 
Ranged)  o Canrund  ) (s’  ,m’ ) a 
Canrun( j) (s",m")  a 
i 0 j d -Canrun( i ) (s" , m") 

Proof!  Math  lnd  on  k using  Lemma  1 

t 

LEMMA  3a 

Def  i ned (sched0)  (s0,m0) , Full  (sched0) (s0,  m0) , Range(j)  P 
Canrun(  j) (Oesc(s0,m0, sched0) (2*k)  .SM)  ■ tt 

The  proof  of  the  theorem  follows  directly  from  Lemmas  2 & 3a 


Ue  can  also  state  (though  we  will  not  prove)  the  mutual 
exc I us i on,  prob I em  as 

Range  (j),  Range  (k),  j*k  h Mu  iex(s0,m0, sched0)  ■ uu 
Mutex( j,k) (s,m, sched)  <-= 

t(  m(j). LABEL  *>  r,(k). LABEL  - V ) tt  Mutex(j.k)  (Next  (s,m,  sched) ) . 


DEADLOCK 

Briefly,  we  can  state  some  deadlock  properties  in  the  logic 
based  on  the  model. 


1)  Starved(k) (sched) (s,m)  - A process  is  starved  (Dijkstra  72] 
if  it  is  not  "STOP"  and  is  continuously  incapable  of  running. 

I nf safe (k) (s, m, sched)  <-- 

f(  m(k). LABEL  • STOP  or  Canrun(k) (s,m)  ) 
tt  I nf  safe  (k)  (Next  (s,  m,  sched) ) . 

Starved  (k)  (sched)  (s,  m)  iff  Inf  safe  (k)  (s,  m,  sched)  E tt* 


2)  Deadlock  (sched)  (s,m)  - The  system  is  deadlocked  if  some 
process  becomes  starved. 
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Dead  I ock( sched)  (9,m)  iff  (3k)  (Blocked(k)  (sched)  (s,m)) 

o,  Safe  (s  m)  - He  are  often  interested,  regardless  of  the  fecheduler 
whether ^ or 9 not  a particular  set  of  processes  can  ever  lead  to  deadlock. 

the  scheduler  be  fair  and  defined. 

Safe(s.m)  iff  . . .w  _ 

(Vsched)(  Oefined(sched) (s.m)  a Fair  (sched) Is, m o . 

(Vk)  ( Inf safe(k) (sched) (s,m)  * tt*  ) ) 

Clearly,  the  P/V  system  of  the  previous  section  is  safe.  ■ 

0,  course,  i t is  in 

the"  under'a  particular  fair,  full,  defined  scheduler,  deadlock  cannot 
occur. 

Consider  s composed  of  a semaphore,  sem,  initially  0, 
k and  n in  tially  0.  and  f,  a description  of  a total  funct ion  ot 
type  N -->  TT.  And  let  m be  running  the  two  processes  mf or  y 

described  by: 


Process  1 

k :=  0; 
n : ■ 0 5 
V (sem) ; 


Process  2 


loop 


f Eval (f) (n)  then  V(sem){ 


k :«■  1? 
loop 
if  k 
P(sem) ; 
end  I oop 


0 then  V (sem) ; 


+ 1; 


end  I oop 


Nou  under  a scheduler  that  runs  process  2 first,  the  eventual  value 
Of  k will  be  0 and  there  will  never  be  deadlock,  but  if  Process  1 
first  k will  be  1,  and  determining  Safe(s.m)  becomes  eq“lV*'®nt  . 
deciding  whether  f is  true  infinitely  often,  which  is  reducible  to  the 

ha  I ting  problem. 

MODELLING  PROTECTION  SYSTEMS 

the  model  presented,  each  process  operates  on  a common  ma.org  state 
S.  Vet  in  programming  systems,  different  processes  do  have  different 
accessing  rules  for  accessing  theme.org  (e.g.  Frames,  Con  ours.  Virtual 
or  Local  Name  Spaces  and  Execution  Oomalnsl.  By  th5  EP 

multiplexor  slot  as  an  argument,  differential  accessing  of  S ea  y 
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. 


! 


c. 


be  achieved.  For  example,  i f S - N — > DOMAIN,  then  i f p is  executing  in 
Multiplexor  slot  k,  s(k)  could  represent  its  execution  domain. 

Now,  consider  the  modeling  of  a segmented  operating  system.  Process 
j’s  data  segments  would  be  part  of  S.  whereas  its  code  segment  would  be 
modeled  directly  by  the  PROG  component  of  M(j).  Ue  could  then  model  tho 
starting  of  process  n by  the  EP: 

Start:  When  TRUE  do  CONTENTS (<seg>)  — > L0ADG0(<n>) 

where  contents (<seg>) (s)  returns  as  its  result  the  contents  of  segment 
seg  (in  state  s) , and  loadgo(<n>)  loads  up  those  contents  in  M(n)  and 
begins  executing  the  process. 

I oadgo  (<n>)  (segcontents)  (m)  <— 

>vk.  ( k«n  — > <1  ink  (segcontents, n)  ,BEG!N>,  m(k)  ) 

where  link(x.n)  assembles  x into  PROG  form  with  start  address,  BEGIN 
in  process  n. 

An  interesting  byproduct  is  that  one  can  model  a process  changing  a 
data  segment  of  another  process  (possible  in  systems  with  shared  data) 
by  using  a STATEFORM,  whereas  a change  in  an  executing  process  sc =°«M 
segment  (most  likely  a bug)  can  only  be  modeled  by  using  a CONTROLFORM 
(like  LOADGO) . In  fact,  in  pursuing  this  modified  model,  just  such  a 
bug  was  discovered  in  CMU's  HYDRA  system. 

( The  bug  in  HYDRA  can  be  circumvented  by  the  use  of  "frozen"  pages 
(see  [Rotenberg  741).  A fnzen  code  page  is  permanently  protected 
against  modification,  ) 

Other  small  changes  in  the  model  make  it  more  useful  for  describing 
and  proving  properties  about  protection  systems.  [Cohen  75J  will  report 
further  results. 


A CONJECTURED  INDUCTION  RULE 

Ue  ui  I I often  want  to  prove  (for  some  predicate  Q) 

A]  Def ined(sched0) (s0,m0) , Fair(sched0) (s0,m0) , Q(j,s0,m0)  H 

Run( j) (s0,m0, sched0)  * tt* 

under  more  difficult  conditions  than  in  the  simple  example  of  the 
applications  section.  Ue  note  that  in  the  P/V  example,  process  j 
becomes  blocked  when  some  other  process,  say  k,  has  successfully 
executed  a "P".  Process  k’s  subsequent  execution  of  a "V"  will 
then  make  process  j runnable  once  more. 

This  is  an  instance  of  a more  general  observation.  Suppose  that 
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whenever  process  j is  blocked,  we  are  able  to  find  a runnable  process 
whose  execution  brings  process  j "closer"  to  becoming  runnable  and 
furthermore  execution  of  any  other  process  does  not  take  process  j 
farther  away  from  becoming  able  to  run.  If  we  can  show  that  after  doing 
this  a finite  (though  not  necessarily  bounded)  number  of  times,  process 
j actually  becomes  runnable,  then  under  a fair  scheduler  we  should  be 
able  to  show  that  process  j runs  forever.  Formally,  we  have  the 
following  induction  principle: 

Suppose  that  ( U,  < ) is  a well-founded  set  with  a set  of  least 
elements  U0  in  which  all  intervals  are  of  finite  length.  We 
write  Iwl  for  the  maximum  distance  from  w to  an  element  of  U0. 
Furthermore,  let  Assoc:  U — > ( S x M — > TT  ] and 
Closer:  W -->  N be  total  functions.  Then  to  prove  (A),  it  is 
sufficient  to  prove: 

a)  Q(j,s,m)  P Gw) ( Assoc(w) (s,m)  ) 

b)  w0  c U0,  Assoc(w0) (s,m)  P Canrun( j) (s,m) 

c)  w0  € W0,  Assoc(w0)  (s,m)  P (Vk) Gw) ( Ascoc(w) (Exec(k) (s, m) ) ) 

d)  u W0,  Assoc(w)  (s, m)  P 

. Gu  )(  lw’  I < Iwl  a Assoc(w’ ) (Exec(Closer  (w) ) (s,m) ) ) 

e)  w -c  U0,  Assoc(w)  (s,m)  P (Vk)Gw’M 

Assoc  (w* ) (s.m)  a 

( lw’ I < Iwl  v ( lw’  I ■ Iwl  a Closer(w’)  - Closer(w)  ) ) ) 

Intuitively,  we  use  an  abstraction  of  a token  machine  to  determine 
whether  or  not  process  j can  run  forever.  A token  is  always  associated 
with  some  element  w of  U depending  on  s « m.  As  EP’s  are  executed,  s & 
m change,  thus  the  token  becomes  associated  with  different  elements  of 
W.  By  proving  properties  about  the  movement  of  the  token  in  U,  we  can 
prove  that  process  j runs  forever. 

The  basic  idea  is  to  associate  the  bottom  elements  of  U,  that  is  U0, 
with  the  states  in  which  process  j canrun.  Then  when  the  token  is  not 
associated  with  an  element  of  W0,  we  must  show  that  the  token  is 
eventually  forced  down  towards  an  element  of  U0.  We  do  this  by 
demanding  that  when  w -»c  U0,  there  is  some  procesp  Closer(w),  such  that 
the  execution  of  that  process  will  force  the  token  to  an  element  w’  such 
that  lw  I < Iwl.  Furthermore  executing  any  other  process  must  have  the 
effect  that  either  the  token  is  forced  to  a w’  lower  than  w anyway  or 
the  token  moves  to  a w’  at  the  same  distance  from  the  bottom  ( Iw’l  - 
Iwl  but  such  that  Closer(u’)  - Closer(w).  Thus  in  the  case  that  we 
have  a fai.  scheduler,  process  k will  eventually  run  and  the  token  wi.l  I 
eventually  be  pushed  down  closer  toward  U0.  Since  all  intervals  are  of 
finite  length,  the  token  wi  1 1 eventual  ly  end  up  in  U0.  This  will  go  on 
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forever,  thus,  process  j will  be  runnable  forever,  and  again,  given  a 
fair  scheduler,  process  j will  actually  run  forever. 


Using  this  conjectured  induction  principle,  we  car  easily  prove  the 
PVIoop  example.  Define 

Ul  - J*)  +■  !wl uni  and  140  - !*) , under  the  ordering, 

»v  < w i , i * 1 , . . • , n . 

Let  Assoc (*) (s, m)  * s - 1 /n 

m(k). LABEL  - ( Range (k)  — > P,  STOP  ) 

and  Assoc (w i ) (s, m)  s s - 0 a 

m(k). LABEL  - ( k-i  -->  V,  Range (k)  -->  P,  STOP  ) 

and  Closer(wi)  - i. 

Then,  it  is  relatively  trivial  to  prove  that: 

a)  Assoc (*) (s0, m0) 

b)  Assoc (*) (s, m)  I-  Canrunf  j)  (s,m) 

c)  Assoc (ft) (s, m)  h 

(Vk)  ( Range  (k)  — > Assoc (wk) (Exec (k)  (s,m) ) , 

Assoc (*) (Exec (k) (s,m) ) ) 

d)  Assoc(wi ) (s,m)  h 

(Vk)  ( k-i  — > Assoc (*) (Exec(k) (s,m)) , 

Assoc (wi ) (Exec(k) (s,m) ) ) 

which  is  easily  seen  to  satisfy  the  induction  predicates. 


To  simplify  proofs,  it  may  be  useful  to  partition  the  system.  He 
would  have  to  define  the  notion  of  an  "independent  partition",  and  then 
prove  that  if  <ml,...,mj>  was  an  independent  partition  of  m under  s, 
then 

Safe(s.ml),  ...,  Safe(s.mj)  H Safe(s,m) 


SCHEDULER  NOTES 

1)  As  noted  in  an  earlier  section,  scheduler  properties  depend 
heavily  on  3 and  M as  well  as  SCHED.  Since  future  behavior  of  the 
system  is  completely  determined  by  the  initial  system,  all  we  need 
do  ie  allow  the  scheduler  to  be  tailor  made  to  the  initial 
configuration.  Suppose  that  we  demand  that  in  the  initial  state  of 
the  system,  n < j o m0(j). LABEL  ■ STOP,  and  call  this  property 


Semantic  flodels  for  Parallel  Systems 


InittmB.n).1  The  use  of  n,  fixing  an  upper  bound  to  the  initial 
number  of  runnable  processes  allows  us  to  define  a recursive 
scheduler  prototype: 

PRQTOSCHEO  « N x S x H — > SCHEO 

and  a scheduler  maker 

Makesched:  PROTOSCHED  — > [ N x S x H — > SCHED  ) 


He  say  that  PR0T0SCHE0  is  fair  if 
Init(m0,n)  d Fai r (Makesched (protosched) (n, s0, m0) ) (s0,m0) 
and  similarly  for  other  properties. 

2)  Because  the  scheduler  gets  its  information  by  looking  at  EP’s,  EP 
must  be  a domain  over  which  a continuous  predicats  Is  defined  so 
that  the  scheduler  can  actually  look  at  the  components  of  the  EP.  Hence, 
the  various  FORfl's  of  the  EP  are  specified  as  NAHEs  and  list  of 
ARGuments,  rather  than  directly  as  functions. 

CONCLUSION 

He  have  introduced  a semantic  model  for  parallel  systems  and  have 
presented  a number  of  properties  of  parallel  systems  based  on  the  model 
as  well  as  some  proofs  and  proof  rules. 


The  development  uith  the  most  potential  appears  to  be  the  conjectured 
induction  rule  based  on  well  founded  sets  As  Cadiou  & Levy  note,  LCF 
proofs  force  the  program  prover  to  (sometimes  tediously)  explicate  all 
the  possible  states  of  the  system.  To  make  proofs  of  complex  parallel 
programs  more  tractable,  and  especially  to  make  the  proofs  more  amenable 
to  automatic  verification,  it  seems  clear  that  some  (elegant)  embedded 
or  externally  imposed  (see  [flilner  & Ueyrauch  72] ) structure  is 
critical.  Hell  founded  sets  may  be  a useful  structure  for  proofs  of 
deadlock;  for  other  properties  of  parallel  programs,  further  exploration 
is  necessary. 

There  is  a different  kind  of  structuring  choice  more  directly  related 
to  this  paper  - what  can  be  an  indivisible  operation  embodied  by  an  EP? 
If  we  assume  an  implementation  on  a sequential  machine,  the  safest 
choice  is  the  smallest  action  that  cannot  be  Interrupted.  The  obvious 
difficulty  is  that  sequential  machines  are  rare;  even  conventional 
machines  often  have  an  I/O  processor  and  both  may  simultaneously  be 
accessing  memory.  At  best  machines  that  use  cycle-stealing  force  us  to 
safely  choose  as  indivisibje  actions  those  which  take  place  in  a single 
cycle. 


Semantic  Models  for  Parallel  Systems 


Ue  have  assumed  in  this  paper  that  actions  as  complex  as 
synchronization  operators  may  be  vieued  indi visibly  and  thus  our  proofs 
must  therefore  be  viewed  as  correct  only  for  models  in  which  that  is  the 
case,  thus  we  separate  the  model  of  indivisibility  from  its 
implementation.  In  the  cace  of  a multiprocessor,  the  code  implementing 
synchronization  may  be  running  in  parallel  with  other  processes,  perhaps 
even  executing  the  same  code.  Uhat  must  be  shown  in  such  a case  is  that 
the  model  of  indivisibility  is  nonetheless  valid  regardless  of  such 
concurrency  as  may  be  introduced  by  the  implementation.  Such  proofs  are 
beyond  the  scope  of  this  paper. 

A somewhat  serious  deficiency  of  the  scheduler  model  (and  other  models 
as  well)  is  its  inability  to  model  time  dependent  behavior  - for  example 
timer  interrupts  in  programming  systems  and  timing  considerations  in 
machine  architecture.  While  the  nature  of  problems  to  be  studied  with 
respect  to  time  dependencies  would  likely  call  for  a different  model  In 
any  case,  proving  the  correctness  of  something  like  a 
mu  I t i p I exor /schedu I er  for  a multiprocessor  would  likely  require  a 
scheduler  model  modified  in  some  way  to  handle  time  dependencies. 

Perhaps  the  most  serious  problem  with  the  model  described  here  is  in 
the  nature  of  the  assumptions  made  about  how  processes  interact  (or 
should  interact).  A formal  semantics  for  a sequential  programming 
language  with  structured  control  provides  a better  base  for  various 
proofs  than  a semantics  for  a language  with  GOTO’s.  Similarly,  suitably 
restricted  interactions  between  processes  should  provide  a better 
semantic  system  than  the  one  described  here  in  which  arbitrary 
interactions  are  allowed.  A solution  is  to  provide  additional  axioms 
uh i ch  restrict  the  possible  schedules.  P/V  disciplines  are  too 
unstructured.  Work  along  the  lines  of  Path  expressions  [Campbell  & 
Haberman  74]  appear  to  be  more  promising  in  providing  a semantic  basis 
in  uh i ch  proofs  wi 1 I be  less  tedious. 
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APPENDIX 


The  proofs  here  are  presented  as  a series  of  Lemmas.  Except  for  so 
difficult  cases,  an  outline  of  the  proof  of  each  Lemma  is  all  that  ib 
given.  Only  two  inductive  proof  rules  are  used  here.  Computational 
Induction  [Milner  S Viullemin  72,  Manna  721  and  Mathematical 
[Manna  721 . 


Induct  ion 


He  u.ie  the  abbreviations  introduced  by  Milner  [Milner72I. 
a ::  b i c for  (a  -->  b,uu)  s (a  — > c.uu). 
and  3(x)  is  the  definedness  predicate, 
d(uu)  * uu,  otherwise,  3(x)  ■ tt.  We  also  use 
t (a)  <-«  a -->  tt , uu. 

We  also  assume  an  extended  LCF  theorem  prover  with  a knowledge 
of  arithmetic  (see  axioms  by  Newey  [Newey  731)  built  in 
and  -therefore,  when  we  are  clearly  dealing  with  a- natural  number 
we  dispense  with  the  additional  predicate  isnat,  e.g. 
we  write  a : : b(n)  £ c(n)  instead  of 
a a isnat(n)  ::  b(n)  e c(n). 


We  have  not  formally  shown  that  Computational  Induct1' on  is 
legitimate  as  we  use  it  over  the  domains  introduced  in  this 
paper.  A proof  in  the  style  of  Scott  [Scott  721  is  left  to 

the  reader. 

' We  use  [Kahn  731  as  a general  concatenation  operator,  and 

leave  proofs  about  its  obvious  properties  to  the  reader. 


THEOREM  1 

. Ful  I (Fu I I sched(sched) ) (s,m) 

Fu  I I ached  (sched)  <■■  Ms,m)  .Kf  s (schad,  0)  (s,m) . 

Kfs(sched.n)  (s,m)  o*  . 

Let  <s’ ,m’ ,sched’>  be  Desc(s,m, sched)  (Kfn(s,m, sched)  In))  in 

< sched’  (s’,  m’).N,  Fu  1 1 sched  (sched’ (s’ ,m’ ) .SCHED)  > 

Kfn (s,  m,  sched)  (n)  <== 

Cr  (Desc  (s,m,  sched)  (n) ) — > n, 

Kfn(s,m, sched) (n+1) . 

Desc (s, m,  sched)  (n)  <== 
g - 0 — > <s,m,sched>, 

Next (Desc(s,m, sched) (n-1) ) . 

Cr  (s.  m,  sched)  <*«  Canrun(sched(s,m) ,N) (s,m). 
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Aex(j,s,m)  <—  Exec(Act ion( j)  (m) ) (s, m) . 


LEMMA  1 

Next (s, m, sched)  s 

-Cr  (s,m,  sched)  -->  < s,  m,  sched (s,m) .SCHED  >, 

< Aex (sched (s, m) .N, s, m) , sched(s,m) .SCHED  >. 
Proof:  by  definitions 

LEMMA  2 

-Cr  (Desc  (s,  m,  sched)  (n) ) :: 

□esc  (s,  m,  sched)  (n)  .SM  a Desc(6,m, sched) (n+1) .SM 
Proof:  Defined  of  Desc  & Lemma  1 


LEMMA  3 

Canrun (K f s ( sched, n) (s, m) . N) (Desc (s, m, sched) (n) . SM)  C tt 

Proof:  Substitute  Defn  of  Kfs,  then  use  Computational 
Induction  on  Kfn,  using  Lemma  2 & Defn  of  Cr 

LEMMA  3a 

Canr  un  (Full sched(sched) (s,m) .N) (s,m)  C tt 

LEMMA  3b 

Qr(s,mtFul  I sched (sched) ) £ tt 
LEMMA  4 

Desc  (s.m,  sched) (Kfn(s,m, sched) (n)).SM  C Desc (s,m, sched) (n).SM 
Proof:  Comp  ind  on  Kfn  using  Lemma  2 

LEMMA  4a 

Desc  (s,  m,  sched)  (Kfn(s,m,  sched)  (0))  .SM  C <s,m> 

LEMMA  5 

Cr  (Desc  (s,  m,  sched)  (Kfn(s,m,  sched)  (n)))  a 

Canrun  (Kfs(sched,n) (s,m)  .N) (Desc(s,m, sched) (n)  .SM) 

Proof:  Oefn  of  Kfs  & Cr  and  Lemma  4 

LEMMA  5a 

Cr  (Desc  (s,  m, sched) (Kfn (s,m, sched) (n) ) ) C tt 
Proof:  Lemmas  3 & 5 

LEMMA  5b  • 

Cr (Desc  (s,m, sched) (Kfn(s,m, sched) (0)))  ■ Cr (Ful I sched (sched) , s, m) 

LEMMA  5 

Next  (s.m.Ful  Isched(sched) ) * 

Let  <s’ , m’ , sched* > be  Desc(s, m, sched)  (Kfn(s,m, sched) (0)+l)  in 
< e’ , m*,  Ful I sched (sched*)  > 

Proof: 
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Next  (s,m,Ful  I sched (sched) ) 


Cr  (s.m.Ful  I sched  (sched) ) — > crupn  > 

< Aex (Fu I I sched (sched) (s, m) .N, 8, m) , Ful I sched(sched) (s, m) .SCHED  , 

uu.  Lemma  1 & 3b 

Cr  (s.m.Ful  I sched  (sched) ) -->  ,UBn  . 

Let  <s, m’ , sched* > be  Desc(s,m,  sched)  d\C®)  cChed)  > 

< Aex (sched* (s’ ,m’ ) .N, s,m) , Ful I sched (sched  (s  ,m  ). SCHED)  >, 

uu.  Defn  of  Fullsched,  Kfs 

Let  <s’,m’, sched’ > be  Desc(s,m, sched) (Kfnjs.m, sched) (0) ) In 

Cr  (s’ ,m* .sched’ ) — > < Aex (sched’ (s’ , m’ ) .N, s ,m  ), 

Fu I I sched (sched’ (s' ,m' ) .SCHED)  >* 
uu.  Lemmas  4a  & Sb 

, Let  <s’ , m’ , sched’ > be  Desc(s.m, sched) (Kfnjs.m. sched) (0))  in 

< Next (s’, m\ sched’ ).SM,  Ful I sched (Next (s  ,m  .sched  ). SCHED)  >. 

Lemmas  1 & 5a 

. Let  <s\«\eched>>  be  Dearie, eched) Kfn(s,»,ached) (01+1)  in 

< «•.  Fut  I eched (ached* ) > Defined  of  Deec  QED  . 


Proof  of  THEOREM  1 

Ful  I (Ful  I sohed(sched) ) (s.m)  by  Defn  of  Full,  we  must  prove 


Runnab I e ( j , k) (s.m.Ful I sched (sched) ) C tt* 

Proof;  Computational  lnd  on  Runnable 

( j , Ful  I eched  (eched)  (e,m) ,N  or  Canrunl j) le.e)  or  -Canrunlk) (e,m)  I 
# Runnable(j.k)  (Next (s, m, Ful I sched (sched) ) ) 

c tt  U Runnable(j.k) (Next (s.m.Ful I sched (sched) ) ) Lemma  3a 


tt  H Let  <s*  ,m*  ,eched*>  be  Oeecte.m.eched)  (l«nle,», eched)  (01+1) 
Runnabletj, kits’, «' .Full echedteched  I)  Lemna  G 


in 


C tt  tt  tt*  Induction 


* 1 1 * 


THEOREM  2 

Run (jMs.m,  sched)  ■ Run(j)  (s.m.Ful  I eched)) 

Kb  I (j)  (s.m, sched)  <«  T(  (j  - sched  (e,  m)  .N)  a Canrunt  j)  (s.m)  ) 
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Co  I ( j) (s, m, sched) (n)  <*■ 
n - 0 -->  <>, 

Col  ( j)  (s,m,  sched) (n-1)  tt  Rbl (j) (Desc (s, m, sched) (n-1)). 

Crun( j) (s,m, sched)  <=»  Let  n be  Kfn(s,m, sched) (0)  + 1 in 
Col  (j)  (s,m, sched) (n)  U Crun(j) (Desc (s, m, sched) (n)). 


LEMMA  7 

Desc  (Desc  (s,  m,  sched) (a) ) (b)  « Desc (s, m, sched) (a+b) 

Proof:  Math  Ind  on  b 

LEMMA  8 

d(Desc  (s,  m,  sched)  (n+k) ) E 3 (Desc  (s,  m,  sched)  (n) ) 

Proof:  Lemma  7 & Axioms  for  3 

LEMMA  9 

k < n a Cr  (Desc(s,m, sched) (n) ) o Kfn (s, m, sched) (n-k)  < n 
Proof:  Math  Ind  on  k using  Lemma  8 

LEMMA  9a 

Cr  (Desc  (3,  m,  3ched) (n) ) d Kfn(s,m, sched) (0)  S n 

LEMMA  10 

Rb I ( j ) (s,  m,  sched)  E t (Cr (s, m, sched) ) 

Proof:  Defn  of  Rbl  8 Cr 

LEMMA  11 

n S Kfn  (s,  m, sched)  (0)  ::  Col (j) (s,m, sched)  (n)  ■ <> 
Proof:  Math  Ind  on  n using  Lemma  9a  8 10 

LEMMA  11a 

Co  I ( j ) (s,  m,  sched)  (Kfn (s,m, sched) (0) ) ■ <> 

LEMMA  12 

Rbl  ( j)  (s.m.Ful  I sched(sched) ) * 

Rbl  ( j ) (Desc (s, m, sched) (Kfn (s,m, sched) (0) ) 

Proof:  Lemma  5b  & Defn  of  Fullsched 

LEMMA  13 

Rbl  (s,m,Ful  I 3ched(sched) ) s 

Col  ( j)  (s,m,  sched) (Kfn(s,m, sched)  (0)+l) 

Proof:  Lemmas  11a  8 12  by  Defn  of  Col 

THEOREM  2a 

Run  ( j)  (3,  m,  Fu II sched(sched) ) ■ Crun( j) <s,m, sched) 

Proof:  Parallel  Comp  Ind  on  Run  8 Crun 
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LEMMA  14 

Run ( j ) (s, m, sched)  s 

• Col  (j)  (s.m,  sched)  (s,m,  sched)  (n)  tt  Run(  j)  (Desc(s,m,  sched)  (n) ) 

Proofs  Math  Ind  on  n 

LEMMA  15 

9 (Run  ( j ) (Descts.m,  sched)  (n) ) E 3(Kfn{s,m,  sched)  (n) ) 

Proof:  Paral lei  Comp  Ind  on  Run  & Kfn  using  Lemmas  7 & 10 

LEMMA  1G 

Run(j) (s, m, sched)  s Let  n be  Kfn(s,m, sched) (0)  + 1 in 
Col  ( j ) (s , m,  sched)  (n)  tt  Run  ( j)  (Oesc  (s,  m,  sched)  (n) ) 

Proof:  By  cases  of  3 (Kfn(s, m, sched) (0) ) using  Lemmas  14  & 15 

THEOREM  2b 

Run(j)  (s,m,  sched)  s Crun(j) (s,m, sched) 

Proof:  Parallel  Comp  Ind  on  Run  & Crun  Using  Lemma  16 

Proof  of  THEOREM  2 

Run ( j ) (s.m,  sched)  = Run(j) (s.m.Ful I sched ( sched) ) 

Proof:  Theorem  2a  & 2b 

■ THEOREM  3 

Infcan(j)  (s.m.Ful  I sched  (sched) ) E Infcan(  jMs.m,  sched) 

Proof:  Similar  to  proof  or  Theorem  2 
u i thout  use  of  Lemmas  11  & 11a  and 
ueaker  versions  of  Lemma  13  and  Theorem  2a 

f 

I 


i 


Semantic  Models  for  Parallel  Systems 


TIMINGS 

The  Scheduler  formalism  used  in  this  paper  i9  related  closely  to 
the  Timings  that  appear  in  Lipton’s  work.  The  following  section 
clarifies  the  relationship. 


SEP  - EP  + (STOP! 

TIMING  - {<>)  + ( N x SEP  ) x TIMING 

Thus,  a Timing  is  a list'of  EP’s  (or  (STOP}),  with  each  EP 
associated  the  index  of  the  process  that  executed  it. 

Since  a timing  is  a list,  there  ara  three  functions  predeclared  with 
the  usual  interpretation: 

Car:  TIMING  — > N x SEP 
Cdr : TIMING  — > TIMING 
Empty:  TIMING  — > TT 


History:  S x M x SCHEO  ~>  [ N — > TIMING  ] 

H i story (s, m, sched) (k)  <== 
k *■  0 -->  {<>) , 

Let  n be  sched(s,m).N  in 
Let  sep  be 

m(n). LABEL  = STOP  — > STOP,  Action(n)  (m) 
i n 

< <n,sep>,  Hi story(Next (9,m, sched) ) (k-1)  >, 

Apply:  SEP  -->  I S — > S 1 

Apply(sep) (s)  <■- 
sep  = STOP  — > s, 

'Let  < <syname,  syargs>,  <stname,  stargs>,  <cname,cargs>  > be  sep  in 
Synchfn (9yname)  (syargs)  (s)  — > Statefn(9tname)  (stargs)  (s)  ,S,  s. 


Value:  TIMING  — > C S — > S ] 

Va I ue ( t i m i ng) ( s ) <«* 

Empty  (timing)  — > s,  Value(Cdr ( t iming) ) (Apply (Car (t iming) . SEP)  (s) ) . 


Ue  use  the  predicate  "Valid"  for  what  Lipton  call9  "Semi-Active" 

Val id (timing) (s,m)  iff 

(39ched,k)  ( Hi9tory(s, m, sched) (k)  - timing  ) 


Active:  TIMING  — > I S -->  TT  ) 

Act i ve ( t im i ng) ( s ) <■■ 

Empty (timing)  -->  tt, 

Let  < <n,sep>,  r timing  > be  timing  in 
sep  «=  STOP  — > ff, 

Let  <syname, syargs>  be  sep. SYNCHFORM  in 
• --Synchf n (syname)  (syargs)  — > ff, 

Act  i ve (r  t im ing) (Apply (sep) (s) ) . 


Timings  form  a partial  order  described  in  the  following  way: 

s:  TIMING  x TIMING  — > TT 

tl  < t2  <=» 

Empty(tl)  — > tt, 

Empty(t2)  — > ff, 

Let  < <nl , el>,  rtl  > be  tl  and  < <n2,e2>,  rt2  > be  t2  in 
nl  * n2  /\  el  **  e2  — > rtl  S rt2,  ff. 


Conjecture: 

Val  id(timing)  (s,m»  > Active(timing)  (s)  iff 

(3k,  Bched)  ( Fu I I (sched) (s, m)  n History(s,m,sched) (k)  - timing  ) 
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